German regulators inquire about Apple's use of Carrier IQ

Attention surrounding Carrier IQ, software found on mobile phones that can record detailed information about how and even where a device is used, has prompted a German data regulator to seek answers from Apple.

Apple issued a statement on Carrier IQ on Thursday, revealing that the data logging software has not been a part of "most of its products" since the release of iOS 5 in October, though traces of the inactive software do remain and will be removed in a future update. But the Bavarian State Authority for Data Protection seeks more answers than Apple provided in its two-sentence statement.

"We read in the press about the privacy concerns the software may pose and decided to ask Apple about the details," Thomas Kranig, head of the data protection authority, said in an interview with Bloomberg. "If Apple decided to cease the use, all the better."

While much of the attention surrounding Carrier IQ has been about U.S. carriers, the company does have offices for customers in the Europe and Asia Pacific regions. Its U.S. headquarters is in Mountain View, Calif.

Apple was not named in a letter sent to Carrier IQ on Thursday by U.S. Sen. Al Franken, D-Minn., requesting information on how the company's software works. Franken has shown concern that Carrier IQ has the ability to log and transmit "extraordinarily sensitive information," including specific keys pressed and numbers dialed on a smartphone.

"We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update," Apple's official statement on the matter reads. "With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so."

The Carrier IQ controversy took off this week when security researcher Trevor Eckhart uploaded a video demonstrating how the software secretly runs in the background on a stock Android-based handset from HTC, even when in airplane mode with cellular data disabled. Carrier IQ was tracked as having access to every action conducted with the Sprint phone, including key presses, numbers dialed, contents of text messages, websites visited, and even location of the phone itself.

Like Apple, Google has distanced itself from the Carrier IQ controversy, stating that it does not include the company's software in its own devices with the stock version of Android, such as Nexus phones and the original Xoom tablet. But because Android is open source, U.S. carriers and hardware makers have been able to quietly add Carrier IQ software to their phones and run it in such a way that it does not even appear in the operating system's list of active tasks.

Defending itself, Carrier IQ has said its software counts and summarizes the performance of handsets in an effort to aid carriers. Its software is installed on more than 141 million handsets, and Carrier IQ claims its customers "have stringent policies and obligations on data collection and retention," while its software is "not recording keystrokes or providing tracking tools."

Speaking to John Paczkowski of All Things D, a spokesperson for Carrier IQ explained that while the company's software can "listen" to a smartphone keyboard, it doesn't log or understand keystrokes. This can be used for a technician to have a customer enter a certain code that Carrier IQ will understand.

"It's simply looking for numeric sequences that trigger a diagnostic cue within the software," Paczkowski wrote. "If it hears that cue, it transmits diagnostics to the carrier."

The company explained that it's actually the carriers who decide what is to be collected and how long it's stored. Carrier IQ said that data is typically kept for about 30 days, and the data is under the control of the carriers the entire time.

Among U.S. carriers, Verizon has outright denied that it uses Carrier IQ in any of its handsets. In a statement to GigaOm, the company said claims that Verizon uses Carrier IQ are "patently false."

But the other three major U.S. carriers -- AT&T, Sprint and T-Mobile -- have admitted that they do in fact use Carrier IQ. In statements provided to Computerworld, the carriers said the software is used to improve wireless network performance. Handset makers HTC and Samsung said Carrier IQ was integrated into their handsets at the requests of those carriers.

I've no problem with opting-in with Apple, but my issue is with Carrier IQ. Why doesn't Apple integrate their own software? Who the heck is this Carrier IQ? I don't want my info sent through their servers and databases.

This news is very disappointing!

Opt out then (assuming you opted in) - I assume that this is not difficult, although I am not an iPhone user.

I'm certain that Apple is using their own analytics. I'm certain there is other analytics software on phones that is being used that wasn't disclosed this week. It's only a big deal if it's 1) not anonymous, 2) you are not able to opt-out, 3) if they aren't disclosing what is being recorded, 4) if it's recording personal info like URLs, and/or 5) it has unacceptable features like a keylogger.

This bot has been removed from circulation due to a malfunctioning morality chip.

I did, however, I've been using iDevices since '07, and consumers need to know this kind of crap, I didn't know the info was filtering through a third party whose software records keystrokes and submits unencrypted HTTPS data. Apple may not be collecting such data but CIQ might've been since the data goes to their servers before being analyzed and sent to Apple.

My concern is that CIQ records all data, sends it to their servers, and then sends analyzed data to Apple. The problem is CIQ, I do not want my data going to anyone other than Apple when I opt-in, especially unencrypted HTTPS info and keystrokes.

I'm pretty certain the data was anonymized, sent using SSL, and never recorded any high level actions. Not having it filter through multiple companies would be nice but it's not a deal breaker for me if enough precautions are taken on the device end.

Quote:

Originally Posted by el3ktro

They asked just Apple, given that so far in Germany Carrier IQ has only been found on iPhones, not on other devices.

Carrier IQ, sure, but that's not the issue. The issue is carriers requesting OEMs to monitor certain actions. The questions that should be asked are:

What analytic companies are used?

What analytics are being recorded?

How are they being sent?

Where are they being sent?

Carrier IQ isn't the villain here.

Unfortunately it wasn't, and actually any site you visited under Secure-HTTP or HTTPS to log on or make a purchase, your data was sent to CIQ without any encryption, your username and password goes to their servers as exposed text.

Watch the videos

You're talking about devices with Android or iOS? I am talking strictly about iOS. If there is a video showing my iOS passwords going to Carrier IQ in plaintext there will be a class action filed by the end of day.

That has certainly been claimed to be the case on Android devices, but not on iOS devices as far as I can see, which is consistent with Apple's statement (below) on the subject. The linked video only looked at two Android phones, unless I missed something. Are there others?

We stopped supporting Carrier IQ with iOS 5 in most of our products and will remove it completely in a future software update. With any diagnostic data sent to Apple, customers must actively opt-in to share this information, and if they do, the data is sent in an anonymous and encrypted form and does not include any personal information. We never recorded keystrokes, messages or any other personal information for diagnostic data and have no plans to ever do so.

So if the carriers, i.e. Verizon, ATT, Sprint etc. have nothing to hide and are not engaging in something that is not forthrightly being disclosed to their customers, why are they behaving as if they do have something to hide?

I don't recall seeing any disclosure nor opt-in request that authorizes them to record in any fashion or other my use, conversation searches etc.

You start with secret detentions, secret prisons, creative language to describe torture and we roll down a slippery slope where the shadow government (corporate miscreants) feels it has the same privilege and immunity.